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■ A locally decodable code encodes n-bit strings x in m-bit codewords C(x), in such a way 

| that one can recover any bit Xi from a corrupted codeword by querying only a few bits of that 

word. We use a quantum argument to prove that LDCs with 2 classical queries need exponential 
' length: m = 2 n ("). Previously this was known only for linear codes (Goldreich et al. 02). Our 

proof shows that a 2-query LDC can be decoded with only 1 quantum query, and then proves 
an exponential lower bound for such 1-query locally quantum-decodable codes. We also show 
that q quantum queries allow more succinct LDCs than the best known LDCs with q classical 
queries. Finally, we give new classical lower bounds and quantum upper bounds for the setting 
of private information retrieval. In particular, we exhibit a quantum 2-server PIR scheme with 
0(n 3 / 10 ) qubits of communication, improving upon the 0{n 1 ^) bits of communication of the 
best known classical 2-server PIR. 
, 
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1 Introduction 



Error-correcting codes allow one to encode an re-bit string x into an m-bit codeword C(x), in 
such a way that x can still be recovered even if the codeword is corrupted in a number of places. 
For example, codewords of length m = 0{n) already suffice to recover from errors in a constant 
fraction of the bitpositions of the codeword (even in linear time fll9| ). One disadvantage of such 
"standard" error-correction, is that one usually needs to consider all or most of the (corrupted) 
codeword to recover anything about x. If one is only interested in recovering one or a few of the 
bits of x, then more efficient schemes are possible, so-called locally decodable codes (LDCs). LDCs 
allow us to extract small parts of encoded information from a corrupted codeword, while looking at 
("querying") only a few positions of that word. They have found various applications in complexity 
theory and cryptography, such as self-correcting computations, PCPs, worst-case to average-case 
reductions, and private information retrieval. Informally, LDCs are described as follows: 

A (q, 5, e) -locally decodable code encodes n-bit strings x into m-bit codewords C(x), 
such that for each i, the bit Xi can be recovered with probability 1/2 + e making only 
q queries, even if the codeword is corrupted in 5m of the bits. 

For example, the Hadamard code is a locally decodable code where two queries are sufficient in 
order to predict any bit with constant advantage, even with a constant fraction of errors. The code 
has m = 2 n and C{x)j = j ■ x mod 2 for all j E {0, l} n . Recovery from a corrupted codeword y is 
possible by picking a random j £ {0, l} n , querying yj and yj® ei > and outputting the XOR of those 
two bits. If neither bit has been corrupted, then we output yj © yj® ei = 3 ■ x ffi (j ffi ej) • x = • x = Xi, 
as we should. If C(x) has been corrupted in at most 5m positions, then a fraction of at least 1 — 25 
of all © ej) pairs of indices is uncorrupted, so the recovery probability is at least 1 — 25. This 
is > 1/2 as long as 5 < 1/4. The main drawback of the Hadamard code is its exponential length. 

Clearly, we would like both the codeword length m and the number of queries q to be small. 
The main complexity question about LDCs is how large m needs to be, as a function of n, q, 5, and 
e. For q = polylog(n), Babai et al. [Q showed how to achieve length m = 0(n 2 ), for some fixed 5, e. 



This was subsequently improved to nearly linear length by Polishchuk and Spielman [16|. Beimel 



et al. U recently improved the best known upper bounds for constant q to m = 2 n0{ - loelosq/qlosq \ 
with some more precise bounds for small q. 



The study of lower bounds on m was initiated by Katz and Trevisan [11|. They proved that 
for q = 1, LDCs do not exist if n is larger than some constant depending on 5 and e. For q > 2, 
they proved a bound of m = f2(n 9 /( 9-1 )) if the q queries are made non-adaptively; this bound 
was generalized to the adaptive case by Deshpande et al. Q. This establishes superlinear but at 
most quadratic lower bounds on the length of LDCs with a constant number of queries. There 
is still a large gap between the best known upper and lower bounds. In particular, it is open 
whether m = poly(n) is achievable with constant q. Recently, Goldreich et al. (l(J examined the 
case q = 2, and showed that m > 2 5en / 8 if C is a linear code. Obata Jll] subsequently strengthened 
the dependence on e to m > 2^( 5ri /( 1 ~ 2e )) , which is essentially optimal. 

Katz and Trevisan, and Goldreich et al. established a close connection between locally decodable 
codes and private information retrieval (PIR) schemes. In fact, the best known LDCs for constant 
q are derived from PIR schemes. A PIR scheme allows a user to extract a bit X{ from an re-bit 
database x that is replicated over some k > 1 servers, without the server(s) learning which i the 
user wants. The main complexity measure of a PIR scheme is its communication complexity, i.e., 
the sum of the lengths of the queries that the user sends to each server, and the length of the 
servers' answers. If there is only one server (k = 1), then privacy can be maintained by letting 
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the server send the whole n-bit database to the user. This takes n bits of communication and is 
optimal. If the database is replicated over k > 2 servers, then smarter protocols are possible. Chor 
et al. H exhibited a 2-server PIR scheme with communication complexity 0{n 1 ^ i ) and one with 
0(n l l k ) for k > 2. Ambainis improved the latter to 0(n 1 ^ 2fc ~ 1 - ) ). Beimel et al. j|] improved the 
communication complexity to 0(n 21 ° s ^ ogk / kl ° sk ); their results improve the previous best bounds 
for all k > 3 but not for k = 2. No general lower bounds better than fi(logn) are known for PIRs 
with k > 2 servers. A PIR scheme is linear if for every query the user makes, the answer bits are 
linear combinations of the bits of x. Goldreich et al. proved that linear 2-server PIRs with t-bit 
queries and a-bit answers where the user looks only at k predetermined positions in each answer, 
require t = Q.{n/a k ). 



1.1 Our results: Locally decodable codes 

The main result of this paper is an exponential lower bound for general 2-query LDCs: 

A (2, 5, e)-locally decodable code requires length m > 2 cn ~ 1 , 

for c = 1 — H(l/2 + 35e/14), where H(-) is the binary entropy function. This is the first superpoly- 
nomial lower bound on general LDCs with more than one query. Our constant c in the exponent 
is somewhat worse than the ones of Goldreich et al. and of Obata, but our proof establishes the 
exponential lower bound for all LDCs, not just linear ones. In the body of the paper we will focus 
only on codes over the binary alphabet. In Appendix [B] we show how to extend our result to the 
case of larger alphabets, using a classical reduction due to Trevisan. 

Our proof introduces one radically new ingredient: quantum computing. We show that if 
two classical queries can recover Xi with probability 1/2 + e, then Xi can also be recovered with 
probability 1/2 + 4e/7 using only one quantum query]]] In other words, a (2, 5, e)-locally decodable 
code is a (1, 5, 4e/7)-locally quantum-decodable code. We then prove an exponential lower bound 
for 1-query LQDCs by showing, roughly speaking, that a 1-query LQDC of length m induces a 
quantum random access code for x of length logm. Nayak's [|^] linear lower bound on such codes 
finishes off the proof. For the sake of completeness, we include a proof of his result in Appendix [A]. 

This lower bound for classical LDCs is one of the very few examples where tools from quantum 
computing enable one to prove new results in classical computer science. We know only a few 
other examples of this.0 Radhakrishnan et al. |l7| proved lower bounds for the set membership 
data structure that hold for quantum algorithms, but are in fact stronger than the previous classical 
lower bounds of Buhrman et al. Q. Sen and Venkatesh did the same for data structures for the 
predecessor problem 18, quant-ph version]. Finally, Klauck et al. [12] proved lower bounds for 



the fc-round quantum communication complexity of the tree-jumping problem that are somewhat 
stronger than the previous best classical lower bounds. In these cases, however, the underlying 
proof techniques easily yield a classical proof. Our proof seems to be more inherently "quantum" 
since there is no classical analog of our 2-classical-queries-to-l-quantum-query reduction (2-query 
LDCs exist but 1-query LDCs don't). 

We also observe that our construction implies the existence of 1-query quantum-decodable codes 
for all n. The Hadamard code is an example of this. Here the codewords are still classical, but the 
decoding algorithm is quantum. As mentioned before, if we only allow one classical query, then 
LDCs do not exist for n larger than some constant depending on 8 and e ||ll[. For larger q, it 



x One can't reduce 3 classical queries to 1 quantum query, because the XOR of 3 bits requires 2 quantum queries. 
2 The quantum lower bound on the communication complexity of the inner product function of Cleve et al. |Q| 
provides new insight in a classical result, but does not establish a new result for classical computer science. 
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turns out that the best known (2g, 5, e)-LDCs, due to Beimel et al. (||, are actually (9, 5, e)-LQDCs. 
Hence for fixed number of queries q, we obtain LQDCs that are significantly shorter than the best 
known LDCs. In particular, Beimel et al. give a 4-query LDC with length m = 2°( n3/1 °) which is 
a 2-query LQDC. This is significantly shorter than the m = 2®^ that 2-query LDCs need. We 
summarize the situation in the following table, where our contributions are indicated by boldface. 



Queries 


Length of LDC 


Length of LQDC 


9=1 


don't exist 


2 **(n) 


9 = 2 


2 6(n) 


2 0(n 3 / 10 ) 


9 = 3 


2 0(n 1 /2) 


2 0(n 1/T ) 


9 = 4 


2 0(n 3 / 10 ) 


2 0(n 1 / 11 ) 



Table 1: Best known bounds on the length of LDCs and LQDCs with q queries 



1.2 Our results: Private information retrieval 

In the private information retrieval setting, our techniques allow us to reduce classical 2-server PIR 
schemes with 1-bit answers to quantum 1-server PIRs, which in turn can be reduced to a random 
access code [|l|. Thus we obtain an O(n) lower bound on the communication complexity for all 
classical 2-server PIRs with 1-bit answers. Previously, such a bound was known only for linear 
PIRs (first proven in Jp], Section 5.2] and extended to linear PIRs with constant-length answers 
in [^0|). In Appendix |B| we extend our lower bound to PIR schemes with larger answers. 

Apart from giving new lower bounds for classical PIR, we can also use our 2-to-l reduction to 
obtain quantum PIR schemes that beat the best known classical PIRs. In particular, Beimel et 
al. 0, Example 4.2] exhibit a classical 4-server PIR scheme with 1-bit answers and communication 
complexity 0(ra 3 / 10 ). We can reduce this to a quantum 2-server PIR with 0(n 3 / 10 ) qubits of 
communication. This beats the best known classical 2-server PIR, which has complexity 0(n 1 / 3 ). 
We can similarly give quantum improvements over the best known /c-server PIR schemes for k > 2. 
However, this does not constitute a true classical-quantum separation in the PIR setting yet, since 
no good lower bounds are known for classical PIR. We summarize the best known bounds for 
classical and quantum PIR below. 



Servers 


PIR complexity 


QPIR complexity 


k = 1 


Q{n) 


9(n) 


k = 2 


0{n l l*) 


0(n 3 / 10 ) 


k = 3 


0{nV 5 - 25 ) 


0(n 1 /7) 


k = 4 


( n l/7.87) 


Oin 1 / 11 ) 



Table 2: Best known bounds on the communication complexity of classical and quantum PIR 



2 Preliminaries 
2.1 Quantum 

Below we give more precise definitions of locally decodable codes and related notions, but we first 



briefly explain the standard notation of quantum computing. We refer to Nielsen and Chuang [14] 
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for more details. A qubit is a linear combination of the basis states |0) and |1), also viewed as a 
2-dimensional complex vector: 

a |0) +Qi|l) = 

where a^,a\ are complex amplitudes, and |ao| 2 + |«i| 2 = 1- 

The 2 m basis states of an m-qubit system are the m-fold tensor products of the states |0) and 
|1). For example, the basis states of a 2-qubit system are the four 4-dimensional unit vectors 
|0)<g>|0), |0)(g)|l), |1)<8> |0), and |l)<g> |1). We abbreviate, e.g., |1)<8 |0) to |0)|1), or |1,0), or |10), or 
even |2) (since 2 is 10 in binary). With these basis states, an m-qubit state \(f>) is a 2 m -dimensional 
complex unit vector 

\4>) = <*<!*>■ 

ie{o,i} m 

We use (4>\ = \(j)}* to denote the conjugate transpose of the vector \<f>), and (c/)\tp) = (<fi\ ■ |^) for 
the inner product between states \(j>) and \ip). These two states are orthogonal if (0|V>) = 0. The 
density matrix corresponding to \<f>) is the outer product \(f>)(4>\- The density matrix corresponding 
to a mixed state, which is in pure state \4>i) with probability pi, is p = ^iPi\^>i){^>i\- ^ a 2-register 
quantum state has the form \(f>) = J2i \/Pi\i)\4>i} > then the state of a system holding only the second 
register of \<f>) is described by the (reduced) density matrix Y^iPil^i&l- 

The most general measurement allowed by quantum mechanics is a so-called positive operator- 
valued measurement (POVM). A /c-outcome POVM is specified by positive operators Ei = Ml Mi, 
1 < i < k, subject to the condition that J2i Ei = I- Given a state p, the probability of getting 
the ith outcome is pi = Tt(Eip) = Tt(MipM*). If the outcome is indeed i, then the resulting 
state is M, L pM* /Tr(MipM*). In particular, if p = \<f>)(<f>\, then p { = {<j>\Ei\<j>) = \\ Mi\(f>) || 2 , and 
the resulting state is Mj|</>)/|| Mi\<f>) \\. A special case is where k = 2 m and B = forms an 

orthonormal basis of the m-qubit space. "Measuring in the 5-basis" means that we apply the 
POVM given by Ei = M; L = \i/ji)(ipi\. Applying this to a pure state \<p) gives resulting state \tpi) 
with probability pi = |(0|V^)| 2 - Apart from measurements, the basic operations that quantum 
mechanics allows us to do, are unitary (i.e., linear norm-preserving) transformations of the vector 
of amplitudes. 

Finally, a word about quantum queries. A query to an m-bit string y is commonly formalized 
as the following unitary transformation, where j £ [m], and b £ {0, 1} is called the target bit: 

\j)\b) ^ \j)\b® yj ). 

A quantum computer may apply this to any superposition. An equivalent formalization that we 
will be using here, is: 

|c)|i)^(-l) c *'|c)|i). 

Here c is a control bit that controls whether the phase (— l) Vj is added or not. Given some extra 
workspace, one query of either type can be simulated exactly by one query of the other type. 

2.2 Codes 

Below, by a 'decoding algorithm' we mean an algorithm (quantum or classical depending on context) 
with oracle access to the bits of some (possibly corrupted) codeword y for x. The algorithm gets 
input i and is supposed to recover Xj while making only few queries to y. 

Definition 1 C : {0, l} n — > {0, l} m is a (q, S, e)-locally decodable code (LDC) if there is a classical 
randomized decoding algorithm A such that 
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1. A makes at most q queries to y, non-adaptively. 



2. For all x and i, and all y £ {0, l} m with Hamming distance d(C(x),y) < 5m we have 
Pr[i4"(») = Xi] > 1/2 + e. 

The LDC is called linear if C is a linear function over GF(2) (i.e., C(x + y) = C{x) + C(y) ). 

By allowing A to be a quantum computer and to make queries in superposition, we can similarly 
define (q, 5, e) -locally quantum- decodable codes (LQDCs). 

It will be convenient to work with non-adaptive queries, as used in the above definition, so the 
distribution on the queries that A makes is independent of y. However, our main lower bound also 



holds for adaptive queries, see the first remark at the end of Section 3.3 



2.3 Private information retrieval 

Next we formally define private information retrieval schemes. 

Definition 2 A one-round, (l—5)-secure, k- server private information retrieval (PIR) scheme with 
recovery probability 1/2 + e, query size t, and answer size a, consists of a randomized algorithm 
representing the user, and k deterministic algorithms Si,... ,Sk (the servers), such that 

1. On input i 6 [n], the user produces k t-bit queries qi, . . . , q^ and sends these to the respective 
servers. The jth server sends back an a-bit string aj = Sj(x,qj). The user outputs a bit b 
depending on i,a%, . . . ,a^, and his randomness. 

2. For all x and i, the probability (over the user's randomness) that b = X{ is at least 1/2 + e. 

3. For all x and j, the distributions on qj (over the user's randomness) are 5-close (in total 
variation distance) for different i. 

The scheme is called linear if for every j and qj, the jth server's answer Sj{x,qj) is a linear 
combination (over GF(2)) of the bits of x. 

All known upper bounds on PIR have one round, e = 1/2 (perfect recovery) and 5 = (the servers 
get no information whatsoever about i). Below we will assume one round and 5 = without 
mentioning this further. We can straightforwardly generalize these definitions to quantum PIR for 
the case where 5 = (the server's state after the query should be independent of i), and that is 
the only case we will need here. 



3 Lower Bound for Locally Decodable Codes with Two Queries 

The proof has two parts, each with a clear intuition but requiring quite a few technicalities: 

1. A 2-query LDC gives a 1-query LQDC, because one quantum query can compute the same 
Boolean functions as two classical queries (albeit with slightly worse error probability). 

2. The length m of a 1-query LQDC must be exponential, because a uniform superposition over 
all its indices turns out to be a logm-qubit quantum random access code for x, for which a 
linear lower bound is already known Jl3| . 
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3.1 From 2 classical queries to 1 quantum query 

The key to the first step is the following lemma: 

Lemma 1 Let f : {0, l} 2 — ► {0, 1} and suppose we can make queries to the bits of some input 
string a = a\02 £ {0, l} 2 . There exists a quantum algorithm that makes only one query (one that is 
independent of f) and outputs /(o) with probability exactly 11/14, and outputs 1 — f(a) otherwise. 

Proof. The quantum algorithm makes the query i (|0)|1) + |1)|1) + |1)|2)) , where the first bit 
is the control bit, and the appropriate phase (— is added in front of \j) if the control bit is 1. 
The result of the query is the state 

i^) = _L(io)|i)+(-ini)ii) + (-ini)i2)). 

The algorithm then measures this state in a basis containing the following four states (b £ {0, l} 2 ): 

IV*) = \ (|0)|1) + + (-l) h2 |l)|2) + (-l) bl+b2 |0)|2>) . 

Note that these four states are orthogonal to each other. 

The probability of getting outcome a is |(^>|^/> a )| 2 = 3/4, and each of the other 3 outcomes 
has probability 1/12. The algorithm determines its output based on / and on the measurement 
outcome b. We distinguish 3 cases for /: 

1. |/(1) _1 | = 1 (the case |/(1) _1 | = 3 is completely analogous, with and 1 reversed). If 
f(b) = 1, then the algorithm outputs 1 with probability 1. If f(b) = then it outputs with 
probability 6/7 and 1 with probability 1/7. Accordingly, if f(a) = 1, then the probability of 
outputting 1 is Pr[/(6) = 1] • 1 + Pr[/(6) = 0] • 1/7 = 3/4 + 1/28 = 11/14. If f(a) = 0, then 
the probability of outputting is Pr[/(6) = 0] • 6/7 = (11/12) • (6/7) = 11/14. 

2. (/(I)" 1 ] = 2. Then Pr[/(o) = /(&)] = 3/4 + 1/12 = 5/6. If the algorithm outputs /(&) 
with probability 13/14 and outputs 1 — f(b) with probability 1/14, then its probability of 
outputting f(a) is exactly 11/14. 

3. / is constant. In that case the algorithm just outputs that value with probability 11/14. □ 

Peter H0yer (personal communication) recently improved the 11/14 in the above lemma to 
9/10, which we can show to be optimal. Using our lemma we can prove: 

Theorem 1 A (2, S, e) -locally decodable code is a (1,5, 4e/ '7) -locally quantum- decodable code. 

Proof. Consider some i, x, and y such that d(C(x),y) < dm. The 1-query quantum decoder 
will use the same randomness as the 2-query classical decoder. The random string of the classical 
decoder determines two indices j, k £ [m] and an / : {0, l} 2 — ► {0, 1} such that 

Pr [/(%■, y fc ) =xt] =p> 1/2 + e, 

where the probability is taken over the decoder's randomness. We now use Lemma [l] to obtain a 
1-query quantum decoder that outputs some bit o such that 

Pr[o = f( yj ,y k )} = 11/14. 
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The success probability of this quantum decoder is^\ 



Pr[o = Xi] = Pr[o = f(yj,Vk)} ■ ^[f(yj,Vk) = »i] + Pr[o ^ f(yj,Vk)} • Pr / Xi] 

11 3 . , 3 4 1 4e 
= 14 P+ 14 (1 - P) = 14 + 7 P " 2 + y 



3.2 Exponential lower bound for 1-query LQDCs 

A quantum random access code is an encoding x i— * p x of n-bit strings x into m-qubit states p^, 
such that any bit Xi can be recovered with some probability p > 1/2 + e from p x . The following 
lower bound is known on the length of such quantum codes (see Appendix [A| for a proof). 

Theorem 2 (Nayak) ^4n encoding x t— ► p x of n-bit strings into m-qubit states with recovery prob- 
ability at least p, has m > (1 — H(p))n. 

This allows us to prove an exponential lower bound for 1-query LQDC: 

Theorem 3 If C : {0,1}™ — > {0, l} m is a (1, 5, e) -locally quantum- decodable code, then 



forc = l-H(l/2 + 5e/4). 

Proof. We fix i. Let \Q) = Z)ce{o,l}j'e[m] a cj\ c )\j) De the query that the quantum decoder makes 
to recover X{. Let D and I — D be the two POVM operators that the decoder uses on the state 
\R) returned by the query, corresponding to outcomes 1 and 0, respectively. Its probability of 
outputting 1 on \R) is p(R) = (R\D\R) = \\ \f~D\R) \\ . Without loss of generality, we assume that 
all a c j are non-negative reals (this is the most general query a quantum decoder can ask, because 
complex phases and entanglement with its workspace can always be added by the decoder after 
the query). Since C is a LQDC, the decoder can recover Xj with probability 1/2 + e from the state 

E « ci (-i) c ^|c)ii) 

ce{o,i}jeM 

for every y such that d(C(x),y) < 5m. Our goal below is to show that we can also recover X{ with 
probability 1/2 + fe/4 from the uniform state 

\u(x)) = -±= e (-ir ci ^\c)\j). 

V2m ee{o,i},jeM 

Since \U(x)) is independent of i, we can actually recover any bit Xj with that probability. Hence 
\U(x)) is a (log(m) + l)-qubit random access code for x. Applying Theorem ^ gives the result. 

Inspired by the "smoothing" technique of [llj, we split the amplitudes ay of the query \Q) into 
small and large ones: A = {cj : a c j < y/l/Sm} and B = {cj : a c j > yl/8m\. Since the query 
does not affect the |0)|j)-states, we can assume without loss of generality that aoj is the same for 

3 Here we use the 'exactly' part of Lemma ^. To see what could go wrong if the 'exactly' were 'at least', suppose the 
classical decoder outputs AND(i/i, j/2) = Xi with probability 3/5 and XOR(j/3,y4) = 1 — Xi with probability 2/5. Then 
it outputs Xi with probability 3/5 > 1/2. However, if our quantum procedure computes AND(j/i,y2) with success 
probability 11/14 but XOR(y3,2/4) with success probability 1, then its recovery probability is (3/5)(ll/14) < 1/2. 
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all j, so aoj < 1/yfrn < l/V&m and hence Oj £ A. Let a = ^Jj2cjeA a cj be the norm of the 
"small-amplitude" part. Since 2~2cjeB a cj — 1> we nave l-^l < Define non-normalized states 

\A(x)) = J2(-iy c ^a cj \c)\j) and \B) = £ a cj \c)\j). 
cjeA cjeB 

The states |-A(x)) + \B) and |^4(x)) — \B) each correspond to a y £ {0, l} m that is corrupted 
(compared to C(x)) in at most \B\ < 5m positions, so the decoder can recover Xj from each of 
these states. If x has xi = 1, then 

p(A(x) + B)>l/2 + e and p(A(x) - B) > 1/2 + e. 

Since p(A±B) = p(A) +p(B) ± ((A\D\B) + averaging the previous two inequalities gives 

p(A(x))+p(B) > 1/2 + e. 

Similarly, if x' has x^ = 0, then 

p(A(x')) + p(B) < 1/2 -e. 

Hence, for the normalized states \A(x))/a and \A(x'))/a we have 

p{A{x)/a) -p{A{x)/a) > 2e/a 2 . 

Since this holds for every x, x' with x% = 1 and x\ = 0, there are constants qi, qo £ [0, 1], q\ — qo > 
2s/a 2 , such that p(A(x)/a) > (71 whenever X{ = 1 and p(A(x)/a) < qo whenever Xj = 0. 

If we had a copy of the state \A(x))/a, then we could run the procedure below to recover Xj. 
Here we assume that q\ > 1/2 + e/a 2 (if not, then we must have qo < 1/2 — e/a 2 and we can use 
the same argument with and 1 reversed), and that q\ + qo > 1 (if not, then qo < 1/2 — e/a 2 and 
we're already done). 

Output with probability q = 1 — 1/(91 + 90), 

and otherwise output the result of running the decoder's POVM on \A{x))/a. 
If Xi = 1, then the probability that this procedure outputs 1 is 

(1 - qM A(*)/a) > (1 - ,)* - ^ - \ + > i + 

If Xj = 0, then the probability that it outputs is 

q + (1 - - p(A(x)/a)) > q + (1 - g)(l - «,) = 1 - -^L- = > ± + 

9i +90 9i+9o 2 2a 2 

Thus, we can recover Xj with good probability if we had the state \A(x))/a. 

It remains to show how we can obtain \A{x))/a from \U(x)) with reasonable probability. 

This we do by applying a POVM with operators M^M and / - M+M to \U(x)), where M = 

V 8m 2~2 C jeA a cj I °j) ( c 3 1 ■ Both M^M and / — M^M are positive operators (as required for a POVM) 

because < V 5ma c j < 1 for all cj G A. The POVM gives the first outcome with probability 

(U(x)\M*M\U(x)) = ^ E 4 = ^/2. 

In this case we have obtained the normalized version of M\U(x)), which is \A(x))/a, so then we 
can run the above procedure to recover Xj. If the measurement gives the second outcome, then we 
just output a fair coin flip. Thus we recover x« from \U(x)} with probability at least 

(5a 2 /2)(l/2 + e/2a 2 ) + (1 - 5a 2 /2)l/2 = 1/2 + fe/4. □ 
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3.3 Exponential lower bound for 2-query LDCs 

Theorem 4 If C : {0,1}™ — > {0, l} m is a (2, 5, e) -locally decodable code, then 

m > 2 cn ~\ 

forc= 1- H(l/2 + 35e/U). 

Proof. The theorem follows by combining Theorems [l] and [|. Straightforwardly, this would 
give a constant of 1 — H(l/2 + 5e/7). We get the better constant claimed here by observing 
that the 1-query LQDC derived from the 2-query LDC actually has 1/3 of the overall squared 
amplitude on queries where the control bit c is zero (and all those a^j are in A). Hence in the 
proof of Theorem ||, we can redefine "small amplitude" to a c j < ^/2/3<5m, and still B will have at 
most 5m elements because 2~2 C j£B a cj — 2/3. This in turns allows us to make M a factor \/3/2 
larger, which improves the probability of getting \A(x))/a from \U(x)) to 35a 2 /4 and the recovery 
probability to 1/2 + 3fe/8. Combining that with Theorem |l| (which makes e a factor 4/7 smaller) 
gives c = 1 — H(l/2 + 3<5e/14), as claimed. □ 



Remarks: 

(1) A (2,5, e)-LDC with adaptive queries gives a (2, 6, e/2)-LDC with non-adaptive queries: if 
query q\ would be followed by query g° or Q2 depending on the outcome of q±, then we can just 
guess in advance whether to query q± and q®, or q\ and q\. With probability 1/2, the second query 
will be the one we would have made in the adaptive case and we're fine, in the other case we just 
flip a coin, giving overall recovery probability 1/2(1/2 + e) + 1/2(1/2) = 1/2 + e/2. Thus we also 
get slightly weaker but still exponential lower bounds for adaptive 2-query LDCs. 

(2) For a (2,5, e)-LDC where the decoder's output is the XOR of its two queries, we can give 
a better reduction than in Theorem EL In this case, the quantum decoder can apply his query to 
^(|1)|1) + |1)|2)), giving 

_L ((-ini)|i) + (-i)«|i>|2» = J- Qi)|i) + (-ir® a2 ii)|2)) , 

and extract a\ ©a2 from this with certainty. Thus the recovery probability remains 1/2 + e instead 
of going down to 1/2 + 4e/7. Accordingly, we also get slightly better lower bounds for 2-query 
LDCs where the output is the XOR of the two queried bits, namely c = 1 — H(l/2 + 35e/8). 

(3) In Appendix [B] we extend the lower bound to larger alphabets. 

4 Locally Quantum-Decodable Codes with Few Queries 

The second remark of Section [T^ immediately generalizes to: 

Theorem 5 A (2q,5,e)-LDC where the decoder's output is the XOR of the 2q queried bits, is a 
(q,5,e)-LQDC. 

LDCs with q queries can be obtained from g-server PIR schemes with 1-bit answers by con- 
catenating the answers that the servers give to all possible queries of the user. Beimel et al. |3|, 
Corollary 4.3] recently improved the best known upper bounds on g-query LDCs, based on their 
improved PIR construction. They give a general upper bound m = 2 n ° (loslos9 9logq) f or g.q Uer y 
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LDCs, for some constant depending on 5 and e, as well as more precise estimates for small q. In 
particular, for q = 4 they construct an LDC of length m = 2°( ra3/10 ). All their LDCs are of the 
XOR-type, so we can reduce the number of queries by half when allowing quantum decoding. For 
instance, their 4-query LDC is a 2-query LQDC with length m = 2°( n3/1 °). In contrast, any 2-query 
LDC requires length m = 2^( n ) as we proved above. 

For general LDCs we can do something nearly as good, using van Dam's result that a q-h\t 
oracle can be recovered with probability nearly 1 using q/2 + 0(y/q) quantum queries ||: 

Theorem 6 A (q, 5, e)-LDC is a (q/2 + 0(^/q), 5, e/2)-LQDC. 

5 Private Information Retrieval 
5.1 Lower bounds for classical PIR 

As mentioned, there is a close connection between locally decodable codes and private information 
retrieval. Our techniques allow us to give new lower bounds for 2-server PIRs. Again we give a 
2-step proof: a reduction of 2 classical servers to 1 quantum server, combined with a lower bound 
for 1-server quantum PIR. 

Theorem 7 If there exists a classical 2-server PIR scheme with t-bit queries, 1-bit answers, and 
recovery probability 1/2 + e, then there exists a quantum 1-server PIR scheme with (t + 2)-qubit 
queries, (t + 2)-qubit answers, and recovery probability 1/2 + 4e/7. 

Proof. The proof is analogous to the proof for locally decodable codes. If we let the quantum 
user use the same randomness as the classical one, the problem boils down to computing some 
/(ai,a2), where a\ is the first server's 1-bit answer to query q\, and ai is the second server's 1-bit 
answer to query ©• However, in addition we now have to hide i from the quantum server. This we 
do by making the quantum user set up the (4 + t)-qubit state 

-L(|0)|0,0*) + 11)11,^) + |2)|2 l5i! )), 

where '0*' is a string of t 0s. The user sends everything but the first register to the server. The 
state of the server is now a uniform mixture of |0, 0'), and 12,©). By the security of the 

classical protocol, |l,(?i) contains no information about i (averaged over the user's randomness), 
and the same holds for |2, ©). Hence the server gets no information about i. 

The quantum server then puts (— l) aj in front of \j, qj) (j G {1,2}), leaves |0,0*) alone, and 
sends everything back. Note that we need to supply the name of the classical server j £ {1,2} to 
tell the server in superposition whether it should play the role of server 1 or 2. The user now has 

_L (10)10,0*) + (-ini)|i, ft ) + (-in2)|2,©)) . 

From this we can compute 7(01,02) with success probability exactly 11/14, giving overall recovery 
probability 1/2 + 4e/7 as before. □ 

Combining the above reduction with the quantum random access code lower bound, we obtain 
the first f2(n) lower bound that holds for all 1-bit-answer 2-server PIRs, not just for linear ones. 
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Theorem 8 A classical 2-server PIR scheme with t-bit queries, 1-bit answers, and recovery prob- 
ability 1/2 + e, has t > (1 - #(1/2 + 4e/7))n - 2. 

Proof. We first reduce the 2 classical servers to 1 quantum server in the way of Theorem [5]. Now 
consider the state of the quantum PIR scheme after the user sends his (t + 2)-qubit message: 

\<!>i) =EvSk)^ (|0)|0,0*) + |l>|l,<Zi(r,z)) + |2>|2,g 2 (r J »))) . 

Here the p r are the classical probabilities of the user (these depend on i) and g,(r, i) is the t-bit 
query that the user sends to server j in the classical 2-server scheme, if he wants and has random 
string r. Letting B = {0* +1 } U {1, 2} x {0, 1}* be the server's basis states, we can write \4>i) as: 

\fr) = J2Ma lb )\b). 
beB 

Here the \an,) are pure states that do not depend on x. The coefficients are non-negative reals 
that do not depend on i, for otherwise a measurement of b would give the server information about 
i (contradicting privacy). The server then tags on the appropriate phase s& x , which is 1 for b = 0* +1 
and (-l) s j( x ><?j) for b = jqj, j G {1,2}. This gives 

\4>ix) = ^2 M a ib)Sbx\b). 
beB 

Now the following pure state will be a random access code for x 

\ipx) = hs bx \b), 

beB 

because a user can unitarily map |0)|6) i— ► |ctj&)|&) to map |0)|^ x ) i— ► \4>ix)i from which he can get 
Xi with probability p = 1/2 + 4e/7 by completing the quantum PIR protocol. The state \ip x ) has 
t + 2 qubits, hence from Theorem ^ we obtain t > (1 — H(p))n — 2. □ 

In Appendix [B| we extend this bound to classical 2-server PIR schemes with larger answer size. 

For the special case where the classical PIR outputs the XOR of the two answer bits, we can 
improve our lower bound to t > (1 — H(l/2 + s))n — 1. In particular, t > n — 1 in case of perfect 
recovery (e = 1/2), which is tight. Very recently but independently of our work, Beigel, Fortnow, 
and Gasarch || found a classical proof that a 2-server PIR with perfect recovery and 1-bit answers 
needs query length t > n — 2 (no matter whether it uses XOR or not). 

5.2 Upper bounds for quantum PIR 

The best known LDCs are derived from classical PIR schemes with 1-bit answers where the output 
is the XOR of the 1-bit answers that the user receives. By allowing quantum queries, we can 
reduce the number of queries by half to obtain more efficient LQDCs. Similarly, we can also turn 
the underlying classical A:-server PIR schemes directly into quantum PIR schemes with k/2 servers. 

Most interestingly, there exists a 4-server PIR with 1-bit answers and communication com- 
plexity 0(n 3 / 10 ) [f§ Example 4.2]. This gives us a quantum 2-server PIR scheme with 0(n 3 / 10 ) 
communication, improving upon the communication required by the best known classical 2-server 
PIR scheme, which has been 0(n 1//3 ) ever since the introduction of PIR by Chor et al. Q. In the 
introduction we mentioned also some upper bounds for k > 2, which are obtained similarly. 
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A Lower Bound for Quantum Random Access Codes 

As mentioned before, a quantum random access code is an encoding x 1— > p x , such that any bit Xi 
can be recovered with some probability p > 1/2 + e from p x . Below we reprove Nayak's [13| linear 
lower bound on the length m of such encodings. 

We assume familiarity with the following notions from quantum information theory, referring 
to 0, Chapters 11 and 12] for more details. Very briefly, if we have a bipartite quantum system 
AB (given by some density matrix), then we use A and B to denote the states (reduced density 
matrices) of the individual systems. S(A) = —Tr(Alog A) is the (Von Neumann) entropy of A; 
S(A\B) = S(AB) - S(B) is the conditional entropy of A given B; and S(A : B) = S{A) + S{B) - 
S(AB) = S(A) — S(A\B) is the mutual information between A and B. 

We define an n + m-qubit state XM as follows: 



2" 



^ \x){x\®p x . 



1 

x-e{o,i} n 

We use X to denote the first subsystem, Xi for its individual bits, and M for the second subsystem. 



By [14, Theorem 11.8.4] we have 



S(XM) = n + ^Yl %*) ^ n = S ( X )- 



Z X 



Since M has m qubits we have S(M) < m, hence 

S(X : M) = S(X) + S(M) - S(XM) < S(M) < m. 
Using a chain rule for relative entropy, and the subadditivity of Von Neumann entropy we get 

n n 

S(X\M) = ]T S(Xi\Xi . . . Xi_iM) < S(Xi\M). 

8=1 8=1 
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Since we can predict Xi from M with success probability p, Fano's inequality implies 

H(p) > S(Xi\M). 

In fact, Fano's inequality even applies under the weaker assumption that the success probability in 
predicting X, is p only when averaged over all x. Putting the above equations together we obtain 

n 

(1 - H{p))n < S(X) - S(Xi\M) < S(X) - S(X\M) = S(X : M) < m. 

i=l 



B Extension to Larger Alphabets 

In this section we extend our lower bounds for binary 2-query LDCs to the case of larger alphabets 
(and our bounds for binary 2-server PIR schemes to the case of larger answers). For simplicity we 
assume the alphabet is £ = {0, 1}^, so a query to position j now returns an £-bit string C(x)j. The 
definition of (q, 5, e)-LDC from Section |2.2| carries over immediately, with d(C(x),y) now measuring 
the Hamming distance between C{x) S T, m and y £ T, m . 

We will need the notion of smooth codes and their connection to LDCs as stated in [11]. 

Definition 3 C : {0, l} n — ► T, m is a (q, c, e) -smooth code if there is a classical randomized decoding 
algorithm A such that 

1. A makes at most q queries, non-adaptively. 

2. For all x and i we have Pi[A c ( x \i) = Xj\ > 1/2 + e 

3. For all x, i, and j, the probability that on input i machine A queries index j is at most c/m. 

Note that smooth codes only require good decoding on codewords C(x), not on y that are close 
to C(x). Katz and Trevisan [|ll], Theorem 1] established the following connection: 

Theorem 9 (Katz and Trevisan) Let C : {0, l} n — > S m be a (q, 5, e) -locally decodable code. 
Then C is also a (q,q/5,e)-smooth code. 

In order to prove the exponential lower bound for LDCs over non-binary alphabet X, we will 
reduce a smooth code over S to a somewhat longer binary smooth code that works well averaged 
over x. Then, we will show a lower bound on such average-case binary smooth codes in a way very 
similar to the proof of Theorem |j. The following key lemma was suggested to us by Luca Trevisan. 

Lemma 2 (Trevisan) Let C : {0, l} n — > S m be a (2,c,e)-smooth code. Then, there exists a 
(2, c-2 e ,e/2 2e )- smooth code C : {0, l} n -» {0, l} m ' 2 that is good on average, i.e., there is a decoder 
A such that for all i 6 [n] 



± E ?r[A^)=x l] >U± i . 



xe{o,i} n 

Proof. We form the new binary code C by replacing each symbol C(x)j € X of the old code by 
its Hadamard code, which consists of 2^ bits. The length of C'{x) is m ■ 2^ bits. The new decoding 
algorithm uses the same randomness as the old one. Let us fix the two queries j, k G [m] and the 
output function / : Y? —> {0, 1} of the old decoder. We will describe a new decoding algorithm 
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that is good for an average x and looks only at one bit of the Hadamard codes of each of a = C(x)j 
and b = C(x)k- 

First, if for this specific j,k,f we have Pr x [f(a,b) = Xj\ < 1/2, then the new decoder just 
outputs a random bit, so in this case it is at least as good as the old one for an average x. Now 
consider the case Pr x [/(a, b) = xi\ = 1/2 + 77 for some 77 > 0. Switching from the {0, l}-notation 
to the { — 1, l}-notation enables us to say that E x [f(a, b) ■ Xi] = 2r\. Viewing a and b as two £-bit 
strings, we can represent / by its Fourier representation: f(a,b) = J2s,tc[£\ fs,T Tlses a s Titer ^t 
and hence 



^ fs,rE x 
S,T 



n a s n bt ■ Xi 



Y,fs,TY[a s Ub t 

V S,T seS t£T 



E x [f{a,b)-Xi]=2ri. 



Averaging and using that |/s 0i t | < 1) it follows that there exist subsets So, To such that 

2t] 



E , 



n «s n 61 ■ Xi 

seSo teT 



> fs ,T E x 



J| a s Y[ h ■ Xi 

stSo teT 



> 



2 2£- 



Returning to the {0, l}-notation, we must have either 

Pr[5 • a © T • b = a*] > 1/2 + V /2 2e 



or 



Pr[5 • a © T • b = Xi ] < 1/2 - V /2 2£ , 



where So ■ a and To • b denote inner products mod 2 of ^-bit strings. Accordingly, either the XOR of 
the two bits So -a and To -b, or its negation, predicts Xi with average probability > 1/2 +r]/2 2i . Both 
of these bits are in the binary code C'(x). The c-smoothness of C translates into c- 2^-smoothness 
of C . Averaging over the classical randomness (i.e. the choice of j, k, and /) gives the lemma. □ 



This lemma enables us to modify our proof of Theorem || so that it works for non-binary 
alphabets S: 

Theorem 10 If C : {0,1}™ -> S m = ({0, l} £ ) m is a (2, 6, e) -locally decodable code, then 



forc=l- #(1/2 + 5e/2 u+1 ). 

Proof. Using Theorem ^ and Lemma ||, we turn C into a binary (2, 2^ +1 /<5, e/2 2 ^)-smooth code 
C that has average recovery probability 1/2 + e/2 2 ^ and length m' = m ■ 2 £ bits. Since its decoder 
XORs its two binary queries, we can reduce this to one quantum query without any loss in the 
average recovery probability (see the second remark following Theorem . 

We now reduce this quantum smooth code to a quantum random access code, by a modified 
version of the proof of Theorem |j. The smoothness of C implies that all amplitudes ay (which 

depend on 1) in the one quantum query satisfy ay < ^J2 e+1 /5m f . Hence there is no need to split 
the set of j's into A and B. Also, the control bit c will always be 1, so we can ignore it. 

Consider \U{x)) = -j= Y,fL i(-l) C(se) i \j), \A(x)) = E^i ^{-if^ \j), and POVM operator 

M = Jdm'/2 £+1 Y,j Th e probability that the POVM takes us from |J7(a?)) to M\U(x)) = 
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|^4(x)) is now (U (x)\M* M\U (x)) = 5/2 e+l . Hence \U(x)) forms a random access code with average 
success probability 



5 (I e\ ( S_\ 1 _ 1 Se 

The (1 — H(p))n lower bound for a quantum random access code holds even if the recovery proba- 
bility p is only an average over x, hence we obtain log(m') > (1 — H(p))n. □ 



We can also extend our linear lower bound on 2-server PIR schemes with answer length a = 1 
(Theorem |8|) to the case of larger answer length. We use the reduction from PIR to smooth codes 
given by Lemma 7.1 of [p~0|] : 

Lemma 3 (GKST) If there is a classical 2-server PIR scheme with query length t, answer length 
a, and recovery probability 1/2 + e, then there is a (2,3, e)- smooth code C : {0, l} n — > S m for 
S = {0,l} a andm<Q- 2*. 

Going through roughly the same steps as for the above LDC lower bound, we get: 

Theorem 11 A classical 2-server PIR scheme with t-bit queries, a-bit answers, and recovery prob- 
ability 1/2 + e, has t > Q(ne 2 /2 6a ). 
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